Topic: Eventvwr File-less UAC Bypass CNA

  • Guest
Eventvwr File-less UAC Bypass CNA
« on: September 28, 2017, 11:30:51 pm »

Matt Nelson recently released a very useful, file-less UAC bypass using Event Viewer which was quickly implemented into a Metasploit module by @TheColonial. Following this, we decided to release our own implementation in the form of a Cobalt Strike CNA script. The current default UAC bypass in Cobalt Strike requires DLL hijacking and drops a temporary DLL artefact to disk, as shown in the following:

Bypassuac-eventvwr was created as a way to easily utilise the EventVwr UAC bypass technique and maintain good opsec practices by not touching disk. This method does not require writing to disk and therefore should be AV friendly.
The CNA script currently performs the following:

    Write registry path hijack
    Execute eventvwr.exe
    When eventvwr.exe executes, the hijack will be called
    If SMB is used, linking is performed to the new beacon
    Delete registry path hijack
    Enjoy elevated beacon
An example usage is shown below:
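
Added example, not part of the original post or the CNA script: a defender-side Python sketch that looks for the write, execute, delete sequence listed above in process-creation and registry telemetry. The event field names, the 60-second window and the registry key placeholder are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed correlation window
EXPECTED_CHILD = "mmc.exe"       # eventvwr.exe normally hands off to mmc.exe
KEY = r"HKU\<SID>\<HIJACKED-KEY-PLACEHOLDER>"  # placeholder: the post does not name the key
EVENTVWR = r"C:\Windows\System32\eventvwr.exe"

# Constructed sample telemetry; field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"ts": "2017-09-28T23:30:01", "type": "reg_set", "user": r"LAB\alice", "key": KEY},
    {"ts": "2017-09-28T23:30:03", "type": "proc_create", "user": r"LAB\alice",
     "parent": EVENTVWR, "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2017-09-28T23:30:05", "type": "reg_delete", "user": r"LAB\alice", "key": KEY},
    {"ts": "2017-09-28T23:41:10", "type": "proc_create", "user": r"LAB\bob",
     "parent": EVENTVWR, "image": r"C:\Windows\System32\mmc.exe"},  # benign launch
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Flag eventvwr.exe children other than mmc.exe and attach nearby registry activity."""
    evs = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                 key=lambda e: e["t"])
    findings = []
    for e in evs:
        if e["type"] != "proc_create" or basename(e["parent"]) != "eventvwr.exe":
            continue
        if basename(e["image"]) == EXPECTED_CHILD:
            continue
        near = [r for r in evs if r["type"] in ("reg_set", "reg_delete")
                and r["user"] == e["user"] and abs(r["t"] - e["t"]) <= WINDOW]
        set_before = {r["key"] for r in near if r["type"] == "reg_set" and r["t"] <= e["t"]}
        removed = {r["key"] for r in near if r["type"] == "reg_delete" and r["t"] >= e["t"]}
        cleaned = sorted(set_before & removed)  # same key written, then deleted afterwards
        findings.append({"user": e["user"], "child": e["image"],
                         "keys_set_before": sorted(set_before),
                         "keys_cleaned_up": cleaned,
                         "severity": "high" if cleaned else "medium"})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```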